On Quadratic Inverses for Quadratic Permutation 
Polynomials over Integer Rings 

Jonghoon Ryu and Oscar Y. Takeshita 
Dept. of Electrical and Computer Engineering 
2015 Neil Avenue 
The Ohio State University 
Columbus, OH 43210 
{ryu.38, takeshita.3}@osu.edu

Submitted as a Correspondence to the IEEE Transactions on Information Theory 

Submitted : April 1, 2005 
Revised : Nov. 15, 2005 

Abstract 

An interleaver is a critical component for the channel coding performance of turbo codes. Algebraic constructions
are of particular interest because they admit analytical designs and simple, practical hardware implementation.
Sun and Takeshita have recently shown that the class of quadratic permutation polynomials over integer rings 
provides excellent performance for turbo codes. In this correspondence, a necessary and sufficient condition is 
proven for the existence of a quadratic inverse polynomial for a quadratic permutation polynomial over an integer 
ring. Further, a simple construction is given for the quadratic inverse. All but one of the quadratic interleavers 
proposed earlier by Sun and Takeshita are found to admit a quadratic inverse, although none were explicitly 
designed to do so. An explanation is argued for the observation that restriction to a quadratic inverse polynomial 
does not narrow the pool of good quadratic interleavers for turbo codes. 

I. Introduction

Interleavers for turbo codes [1]-[11] have been extensively investigated. Recently, Sun and Takeshita [1]
suggested the use of permutation polynomial-based interleavers over integer rings. In particular, quadratic
polynomials were emphasized; this quadratic construction is markedly different from and superior to the
one proposed earlier by Takeshita and Costello [2]. The algebraic approach was shown to admit analytical
design of an interleaver matched to the constituent convolutional codes. The resulting performance was
shown to be better than that of S-random interleavers [4], [5] for short to medium block lengths and
parallel concatenated turbo codes [1], [3]. Other interleavers [6], [7] that are better than S-random interleavers for
parallel concatenated turbo codes have also been investigated, but they are not algebraic.
This correspondence is motivated by work at the Jet Propulsion Laboratory (JPL) [12], [13] for the Mars 
Laser Communication Demonstration (MLCD). The interleaver in [13] is used in a serially concatenated 
turbo code. The work in [13] shows that the quadratic interleavers proposed in [1] can be efficiently 
implemented in a Field-Programmable Gate Array (FPGA) using only additions and comparisons. A turbo
decoder also needs a deinterleaver. In [12], the inverse polynomial of a quadratic polynomial is computed
by brute force using the fact that permutation polynomials form a group under function composition. It 
is also shown that the inverse polynomial of a quadratic permutation polynomial may not be quadratic by 
a particular counterexample. Therefore two natural questions arise: When does a quadratic permutation 
polynomial over an integer ring have a quadratic inverse polynomial? How do we compute it efficiently? 

In this correspondence, we derive a necessary and sufficient condition for a quadratic permutation 
polynomial over integer rings to admit a quadratic inverse. The condition consists of simple arithmetic 
comparisons. In addition, we provide a simple algorithm to compute the inverse polynomial. Further, we 
argue that this restriction does not seem to effectively narrow the pool of good quadratic interleavers for 
turbo codes. 

This correspondence is organized as follows. In Section II, we briefly review permutation polynomials
[15]-[20] over the integer ring $\mathbb{Z}_N$ and relevant results. The main result is derived in Section III, and
examples are given in Section IV. Finally, conclusions are discussed in Section V.

II. Permutation Polynomial over Integer Rings 

In this section, we revisit the relevant facts about permutation polynomials and other additional results 
in number theory to make this correspondence self-contained. 

Given an integer $N \geq 2$, a polynomial $H(x) = h_0 + h_1 x + h_2 x^2 + \cdots + h_k x^k \pmod{N}$, where $h_0, h_1, \ldots, h_k$
and $k$ are non-negative integers, is said to be a permutation polynomial over $\mathbb{Z}_N$ when $H(x)$ permutes
$\{0, 1, 2, \ldots, N-1\}$ [16]-[20]. It is immediate that the constant $h_0$ in $H(x)$ only causes a "cyclic shift"
to the permuted values. Therefore we define the polynomial $\bar{H}(x) = H(x) - h_0$ without losing generality
in our quest for a quadratic inverse polynomial by the following lemma.

Lemma 2.1: Suppose that the inverse of a permutation polynomial $\bar{H}(x)$ is $I(x)$. Then the inverse
permutation polynomial of $H(x)$ is $I(x - h_0)$. Conversely, suppose that the inverse of a permutation
polynomial $H(x)$ is $J(x)$. Then the inverse permutation polynomial of $\bar{H}(x)$ is $J(x + h_0)$.

Proof: Suppose the inverse of $\bar{H}(x)$ is $I(x)$. Then $\bar{H}(I(x)) = x$. Consequently, $H(I(x - h_0)) =
\bar{H}(I(x - h_0)) + h_0 = x - h_0 + h_0 = x$. The other direction can be proved similarly. ■
Further, it is well known that an inverse permutation polynomial always exists because permutation
polynomials form a group under function composition [12], [18]-[20]. The condition for a quadratic
polynomial to be a permutation polynomial over $\mathbb{Z}_p$, where $p$ is any prime, is shown in the following two
lemmas.

Lemma 2.2 ([16]): Let $p = 2$. A polynomial $H(x) = h_1 x + h_2 x^2 \pmod{p}$ is a permutation polynomial
over $\mathbb{Z}_p$ if and only if $h_1 + h_2$ is odd.

Lemma 2.3 ([18]): Let $p \neq 2$. A polynomial $H(x) = h_1 x + h_2 x^2 \pmod{p}$ is a permutation polynomial
over $\mathbb{Z}_p$ if and only if $h_1 \not\equiv 0 \pmod{p}$ and $h_2 \equiv 0 \pmod{p}$, i.e., there are no quadratic permutation
polynomials modulo a prime $p \neq 2$.

The following theorem and corollary give the necessary and sufficient conditions for a polynomial to be
a permutation polynomial over the integer ring $\mathbb{Z}_{p^n}$, where $p$ is any prime number and $n \geq 2$.

Theorem 2.4 ([1], [15]): Let $p$ be a prime number and $n \geq 2$. A polynomial $H(x) = h_1 x + h_2 x^2 \pmod{p^n}$
is a permutation polynomial over $\mathbb{Z}_{p^n}$ if and only if $h_1 \not\equiv 0 \pmod{p}$ and $h_2 \equiv 0 \pmod{p}$.

Corollary 2.5 ([16]): Let $p = 2$ and $n \geq 2$. A polynomial $H(x) = h_1 x + h_2 x^2 \pmod{p^n}$ is a
permutation polynomial if and only if $h_1$ is odd and $h_2$ is even.

Corollary 2.5 can be easily verified from Theorem 2.4. However, since our proofs in the Appendix can be
simplified using Corollary 2.5, we keep it for its simplicity. In this correspondence, let the set of primes
be $\mathcal{P} = \{2, 3, 5, \ldots\}$. Then an integer $N$ can be factored as $N = \prod_{p \in \mathcal{P}} p^{n_{N,p}}$, where the $p$'s are distinct primes,
$n_{N,p} \geq 1$ for a finite number of $p$ and $n_{N,p} = 0$ otherwise. For a quadratic polynomial $H(x) = h_1 x + h_2 x^2 \pmod{N}$,
we will abuse the previous notation by writing $h_2 = \prod_{p \in \mathcal{P}} p^{n_{H,p}}$; the exponents of the
prime factors of $h_2$ will be written as $n_{H,p}$ instead of the more cumbersome $n_{h_2,p}$ because we will only
be interested in the factorization of the second degree coefficient.

For a general $N$, the necessary and sufficient condition for a polynomial to be a permutation polynomial
is given in the following theorem.

Theorem 2.6 ([1]): For any $N = \prod_{p \in \mathcal{P}} p^{n_{N,p}}$, $H(x)$ is a permutation polynomial modulo $N$ if and
only if $H(x)$ is also a permutation polynomial modulo $p^{n_{N,p}}$, $\forall p$ such that $n_{N,p} \geq 1$.
Using this theorem, verifying whether a polynomial is a permutation polynomial modulo $N$ reduces to
verifying the polynomial modulo each $p^{n_{N,p}}$ factor of $N$.

Corollary 2.7: Let $N = \prod_{p \in \mathcal{P}} p^{n_{N,p}}$ and denote $y$ divides $z$ by $y|z$. The necessary and sufficient
condition for a quadratic polynomial $H(x) = h_1 x + h_2 x^2 \pmod{N}$ to be a permutation polynomial can
be divided into two cases.

1) $2|N$ and $4 \nmid N$ (i.e., $n_{N,2} = 1$)

$h_1 + h_2$ is odd, $\gcd(h_1, \frac{N}{2}) = 1$ and $h_2 = \prod_{p \in \mathcal{P}} p^{n_{H,p}}$, $n_{H,p} \geq 1$, $\forall p$ such that $p \neq 2$ and $n_{N,p} \geq 1$.

2) Either $2 \nmid N$ or $4|N$ (i.e., $n_{N,2} \neq 1$)

$\gcd(h_1, N) = 1$ and $h_2 = \prod_{p \in \mathcal{P}} p^{n_{H,p}}$, $n_{H,p} \geq 1$, $\forall p$ such that $n_{N,p} \geq 1$.

Proof: This is a direct consequence of Lemmas 2.2, 2.3, Theorems 2.4, 2.6 and Corollary 2.5. ■ 
The following theorem and lemma are also necessary for deriving the main theorem (Theorem 3.6) of 
this correspondence. 

Theorem 2.8 ([15]): Let $a$, $b$ and $N$ be integers. The linear congruence $au \equiv b \pmod{N}$ has at least
one solution if and only if $d|b$, where $d = \gcd(a, N)$. If $d|b$, then it has $d$ mutually incongruent solutions.
Let $u_0$ be one solution, then the set of the solutions is

$$u_0,\; u_0 + \frac{N}{d},\; u_0 + \frac{2N}{d},\; \ldots,\; u_0 + \frac{(d-1)N}{d},$$

where $u_0$ is the unique solution of $\frac{a}{d} u \equiv \frac{b}{d} \pmod{\frac{N}{d}}$.

Lemma 2.9 ([15]): Let $M$ be an integer. Suppose that $M|N$ and that $v \equiv w \pmod{N}$. Then $v \equiv w \pmod{M}$.

III. Quadratic Inverse Polynomial 

In this section, we derive the necessary and sufficient condition for a quadratic polynomial to admit
at least one quadratic inverse in Theorem 3.6. We also explicitly find the quadratic inverse in Algorithm 1.
If $N = 2$, the inverse polynomial of a quadratic permutation polynomial can be easily constructed. If
$N \neq 2$ is a prime number, by Lemma 2.3, there are no quadratic permutation polynomials. If $N$ is a
composite number, it has been shown that the inverse polynomial may not be quadratic by a particular
counterexample [12]. However, in the following lemma, it is shown that for any quadratic permutation
polynomial, there exists at least one quadratic polynomial that inverts it at three points $x = 0, 1, 2$. The
reason we look at this partially inverting polynomial is that it becomes the basis for the true
quadratic inverse polynomial if it exists.

Lemma 3.1: Let $N$ be a composite number and let $F(x) = f_1 x + f_2 x^2 \pmod{N}$ be a quadratic
permutation polynomial. Then there exists at least one quadratic polynomial $G(x) = g_1 x + g_2 x^2 \pmod{N}$
that inverts $F(x)$ at these three points: $x = 0, 1, 2$. If $N$ is odd, there is exactly one quadratic polynomial
$G(x) = g_1 x + g_2 x^2 \pmod{N}$ and the coefficients of the polynomial can be obtained by solving the linear
congruences

$$g_2 (f_1 + f_2)(f_1 + 2f_2)(f_1 + 3f_2) \equiv -f_2 \pmod{N}. \tag{1}$$
$$g_1 (f_1 + f_2) + g_2 (f_1 + f_2)^2 \equiv 1 \pmod{N}. \tag{2}$$

If $N$ is even, there are exactly two quadratic polynomials $G_1(x) = g_{1,1} x + g_{1,2} x^2 \pmod{N}$, $G_2(x) =
g_{2,1} x + g_{2,2} x^2 \pmod{N}$ and the coefficients of the polynomial $G_1(x) = g_{1,1} x + g_{1,2} x^2 \pmod{N}$ can be
obtained by solving the linear congruences

$$g_{1,2} (f_1 + f_2)(f_1 + 2f_2)(f_1 + 3f_2) \equiv -f_2 \pmod{\tfrac{N}{2}}. \tag{3}$$
$$g_{1,1} (f_1 + f_2) + g_{1,2} (f_1 + f_2)^2 \equiv 1 \pmod{N}. \tag{4}$$

After computing $(g_{1,1}, g_{1,2})$, $(g_{2,1}, g_{2,2})$ can be obtained by $g_{2,1} = g_{1,1} + \frac{N}{2} \pmod{N}$ and $g_{2,2} = g_{1,2} + \frac{N}{2} \pmod{N}$.

Proof: See Appendix A. ■ 
Each of the above four linear congruences (1), (2), (3) and (4) is guaranteed to have exactly one solution
by Lemma 3.1 and Theorem 2.8. It is well known that linear congruences can be efficiently solved by
using the extended Euclidean algorithm [14]. For example, in congruence (2), the unknown value to be
solved is $g_1$; $f_1$ and $f_2$ are given and $g_2$ can be calculated from (1). The congruence (2) can be rewritten
as

$$g_1 \equiv (f_1 + f_2)^* \cdot (1 - g_2 (f_1 + f_2)^2) \pmod{N}, \tag{5}$$

where $(f_1 + f_2)^*$ means the arithmetic inverse of $(f_1 + f_2) \pmod{N}$. By an arithmetic inverse of $s$ modulo
$N$, we mean a number $s^*$ such that $s s^* \equiv 1 \pmod{N}$. Algorithm 2, provided in Table II, can be used
to calculate such an inverse.

In the following lemma, we show that the polynomials $G(x)$, $G_1(x)$ and $G_2(x)$ obtained by solving the
congruences (1), (2), (3) and (4) are permutation polynomials.

Lemma 3.2: The polynomials $G(x)$, $G_1(x)$ and $G_2(x)$ obtained in Lemma 3.1 are permutation polynomials.

Proof: See Appendix B. ■ 
From Lemmas 3.1 and 3.2, there exists at least one quadratic permutation polynomial $G(x)$ that inverts
any quadratic permutation polynomial $F(x)$ at three points $x = 0, 1, 2$. However, it does not necessarily
mean that $G(x)$ is an inverse polynomial of $F(x)$.

In the following lemma, we show that some exponents $n_{G,p}$ of the $g_2$ obtained in Lemma
3.1 are determined by the exponents $n_{F,p}$.

Lemma 3.3: Let $N = \prod_{p \in \mathcal{P}} p^{n_{N,p}}$, $F(x) = f_1 x + f_2 x^2 \pmod{N}$ be a quadratic permutation polynomial
and $G(x) = g_1 x + g_2 x^2 \pmod{N}$ be a quadratic permutation polynomial in Lemmas 3.1 and 3.2. Then,
$f_2 = \prod_{p \in \mathcal{P}} p^{n_{F,p}}$ and $g_2 = \prod_{p \in \mathcal{P}} p^{n_{G,p}}$ satisfy Corollary 2.7. Furthermore, the following holds.

case a: $2 \nmid N$ (i.e., $n_{N,2} = 0$)

If $N$ contains $p$ as a factor (i.e., $n_{N,p} \geq 1$) then

$n_{G,p} = n_{F,p}$ if $1 \leq n_{F,p} < n_{N,p}$
$n_{G,p} \geq n_{N,p}$ if $n_{F,p} \geq n_{N,p}$

case b: $2|N$ and $4 \nmid N$ (i.e., $n_{N,2} = 1$)

$N$ contains $p = 2$ as a factor but we do not need to consider how $n_{G,2}$ is determined by $n_{F,2}$.
The reason for this is explained in the proof of Theorem 3.6.
If $p \neq 2$ and $N$ contains $p$ as a factor (i.e., $n_{N,p} \geq 1$) then

$n_{G,p} = n_{F,p}$ if $1 \leq n_{F,p} < n_{N,p}$
$n_{G,p} \geq n_{N,p}$ if $n_{F,p} \geq n_{N,p}$

case c: $4|N$ (i.e., $n_{N,2} \geq 2$)

$N$ contains $2^2$ as a factor (i.e., $n_{N,2} \geq 2$).
If $p = 2$,

$n_{G,2} = n_{F,2}$ if $1 \leq n_{F,2} < n_{N,2} - 1$
$n_{G,2} \geq n_{N,2} - 1$ if $n_{F,2} \geq n_{N,2} - 1$

If $p \neq 2$ and $N$ contains $p$ as a factor (i.e., $n_{N,p} \geq 1$) then

$n_{G,p} = n_{F,p}$ if $1 \leq n_{F,p} < n_{N,p}$
$n_{G,p} \geq n_{N,p}$ if $n_{F,p} \geq n_{N,p}$

Proof: See Appendix C. ■ 
Before proceeding further, we need the following lemma. 

Lemma 3.4: Let $T(x) = t_1 x + t_2 x^2 + t_3 x^3 + t_4 x^4 \pmod{N}$ and $T(0) \equiv T(1) \equiv T(2) \equiv 0 \pmod{N}$.
Then $T(x) \equiv 0 \pmod{N}$, $\forall x \in [0, N-1]$ if and only if $24 t_4 \equiv 0 \pmod{N}$ and $6 t_3 + 36 t_4 \equiv 0 \pmod{N}$.

Proof: See Appendix D. ■ 
Combining Lemmas 3.1 and 3.4 gives the following theorem. 

Theorem 3.5: Let $F(x)$ be a quadratic permutation polynomial and let $G(x)$ be a quadratic polynomial
in Lemma 3.1. Then $G(x)$ is a quadratic inverse polynomial of $F(x)$ if and only if $12 f_2 g_2 \equiv 0 \pmod{N}$.

Proof: See Appendix E. ■ 
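We now state our main theorem. It states that the necessary and sufficient condition for the existence of
a quadratic inverse for a quadratic permutation polynomial $F(x)$ can be simply checked by inequalities
involving the exponents for the prime factors of $N$ and the second degree coefficient of $F(x)$.

Theorem 3.6 (main Theorem): Let $N = \prod_{p \in \mathcal{P}} p^{n_{N,p}}$, $F(x)$ be a quadratic permutation polynomial and
$f_2 = \prod_{p \in \mathcal{P}} p^{n_{F,p}}$ be the second degree coefficient of $F(x)$. Then $F(x)$ has at least one quadratic inverse
polynomial if and only if

$$n_{F,2} \geq \begin{cases} \max\left(\left\lceil \frac{n_{N,2} - 2}{2} \right\rceil, 1\right) & \text{if } n_{N,2} > 1 \\ 0 & \text{if } n_{N,2} = 0, 1 \end{cases}$$

$$n_{F,3} \geq \begin{cases} \max\left(\left\lceil \frac{n_{N,3} - 1}{2} \right\rceil, 1\right) & \text{if } n_{N,3} > 0 \\ 0 & \text{if } n_{N,3} = 0 \end{cases}$$

$$n_{F,p} \geq \left\lceil \frac{n_{N,p}}{2} \right\rceil \quad \text{if } p \neq 2, 3.$$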

Proof: See Appendix F. 

An interesting question of practical significance is if an interleaver can be its own inverse [2] because the 
same hardware can be used for both interleaving and deinterleaving. It is shown in [2] that this type of 
restriction did not affect turbo decoding performance using interleavers therein proposed. Unfortunately, 
we were not able to identify good self-inverting quadratic permutation polynomials for turbo codes. 



A. Algorithms for Finding the Quadratic Inverse Polynomials 

Algorithm 1 is provided in Table I. It finds the quadratic inverse polynomial for a given quadratic
permutation polynomial $F(x) = f_1 x + f_2 x^2 \pmod{N}$. In Table II, Algorithm 2 is provided to calculate
the arithmetic inverse of $s \pmod{M}$, which is required in Algorithm 1.

TABLE I
Algorithm 1

An algorithm for finding the quadratic inverse permutation polynomial(s)
for a quadratic permutation polynomial $F(x) = f_1 x + f_2 x^2 \pmod{N}$

1. Factor $N$ and $f_2$ as products of prime powers and find the respective exponents of each prime factor,
   i.e., find the $n_{N,p}$'s and $n_{F,p}$'s for $N = \prod_{p \in \mathcal{P}} p^{n_{N,p}}$, $f_2 = \prod_{p \in \mathcal{P}} p^{n_{F,p}}$.

2. Using the $n_{N,p}$'s and $n_{F,p}$'s obtained above, determine if they satisfy the inequalities in Theorem 3.6.

   if yes, check if $N$ is an odd number.
       if $N$ is an odd number
           There is exactly one quadratic inverse for $F(x)$.
           Let the inverse polynomial be $G(x) = g_1 x + g_2 x^2 \pmod{N}$.
           $g_2 \equiv \{[(f_1 + f_2)(f_1 + 2f_2)(f_1 + 3f_2)]^* \cdot (-f_2)\} \pmod{N}$, where $(\,)^*$ is given in Algorithm 2.
           $g_1 \equiv [(f_1 + f_2)^* \cdot (1 - g_2 (f_1 + f_2)^2)] \pmod{N}$.
           Return $G(x)$ and the algorithm ends.
       else $N$ is an even number
           There are exactly two quadratic inverses for $F(x)$.
           Let the two inverse polynomials be $G_1(x) = g_{1,1} x + g_{1,2} x^2 \pmod{N}$ and
           $G_2(x) = g_{2,1} x + g_{2,2} x^2 \pmod{N}$, respectively.
           $g_{1,2} \equiv \{[(f_1 + f_2)(f_1 + 2f_2)(f_1 + 3f_2)]^* \cdot (-f_2)\} \pmod{\frac{N}{2}}$.
           $g_{1,1} \equiv [(f_1 + f_2)^* \cdot (1 - g_{1,2} (f_1 + f_2)^2)] \pmod{N}$.
           $(g_{2,1}, g_{2,2})$ is obtained by $g_{2,1} = g_{1,1} + \frac{N}{2} \pmod{N}$, $g_{2,2} = g_{1,2} + \frac{N}{2} \pmod{N}$.
           Return $G_1(x)$ and $G_2(x)$ and the algorithm ends.
       end
   else
       There exists no quadratic inverse polynomial for $F(x)$.
       The algorithm returns no polynomial and ends.



IV. Examples 

We present three examples to illustrate the necessary and sufficient conditions of Theorem 3.6. The 
first example considers interleavers that are now being investigated in [13]. The second example is a 
generalization of an example in [12]. The third example shows that the verification procedure simplifies 
when $N$ is a power of 2, as it was chosen in [1], for a fair comparison with [2]. Remarkably, all good
quadratic interleavers found in [1] except one admit a quadratic inverse despite the fact that they were not 
designed with this property in mind. This observation may not be completely surprising because [1] shows 
that good interleavers should require the second degree coefficient to be relatively large (which works 
toward satisfying Theorem 3.6) but bounded by some constraints. This conjecture will be investigated in 
a future work. 

Example 1: Let $N = 15120 = 2^4 \cdot 3^3 \cdot 5 \cdot 7$, $f_1 = 11 \pmod{15120}$ and $f_2 = 2 \cdot 3 \cdot 5 \cdot 7 \cdot m =
210m \pmod{15120}$, where $m$ is any non-negative integer. Let $m = 1$. Since $n_{F,2} = 1 \geq
\max(\lceil \frac{4-2}{2} \rceil, 1)$, $n_{F,3} = 1 \geq \max(\lceil \frac{3-1}{2} \rceil, 1)$, $n_{F,5} = 1 \geq \lceil \frac{1}{2} \rceil$, $n_{F,7} = 1 \geq \lceil \frac{1}{2} \rceil$ and 15120
is even, by Lemma 3.1 and Theorem 3.6, $F(x)$ has two quadratic inverse polynomials. By
Algorithms 1 and 2, we can get $g_{1,1} = 14891 \pmod{15120}$ and $g_{1,2} = 210 \pmod{15120}$,
respectively. We can also get $g_{2,1} = g_{1,1} + \frac{15120}{2} = 7331 \pmod{15120}$ and $g_{2,2} = g_{1,2} + \frac{15120}{2} =
7770 \pmod{15120}$ by Algorithm 1.

If $m > 1$, there are also two inverses since $m$ only increases $n_{F,p}$, for some $p$'s. Thus,
regardless of the values $m$ and $f_1$, there exist two quadratic inverse polynomials for $F(x)$.
Example 2: Let = 5^ and /2 = 5m (mod 5^), where m is an integer such that 5 f m. In this 
case, regardless of the values m and /i, there are no quadratic inverse polynomial, since 
n-F,5 = 1 ^ rfl- However, if /2 = 5^m (mod 5^), where 5 f m, regardless of m and /i, there 
exists one quadratic inverse polynomial since 5^ is odd and nF,5 — 2 > [|]. 

TABLE II
Algorithm 2

An algorithm for finding the arithmetic inverse s* for s (mod M)

s* = 1; r = 0;
while (M ≠ 0)
    c = s (mod M);
    quot = ⌊s/M⌋;
    s = M;
    M = c;
    r' = s* − quot * r;
    s* = r;
    r = r';
end

Return s*



Example 3: Let $N = 2^{10}$ and $f_2 = 2^4 \pmod{2^{10}}$. In this case, regardless of the value $f_1$, there exist two
inverses since $2^{10}$ is even and $n_{F,2} = 4 \geq \max(\lceil \frac{10-2}{2} \rceil, 1)$. Specifically, if $f_1$ is 1, the two
inverses are $G_1(x) = x + 496x^2 \pmod{2^{10}}$ and $G_2(x) = 513x + 1008x^2 \pmod{2^{10}}$, and if
$f_1$ is 15, the two inverses are $G_1(x) = 751x + 272x^2 \pmod{2^{10}}$ and $G_2(x) = 239x + 784x^2
\pmod{2^{10}}$, respectively.
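
The procedure of Algorithms 1 and 2 with the exponent test of Theorem 3.6, written out in Python as an added example (not code from the correspondence). Function names are this example's own; the inputs are the coefficients of Examples 1 and 3 plus two constructed cases with $N = 5^3$, and every returned polynomial is checked by brute-force composition.

```python
from math import gcd

def factor_exponents(n):
    """Trial division: {prime p: exponent of p in n}."""
    out, p = {}, 2
    while p * p <= n:
        while n % p == 0:
            out[p] = out.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        out[n] = 1
    return out

def valuation(x, p):
    """Exponent of the prime p in the non-zero integer x."""
    if x == 0:
        raise ValueError("valuation of 0 is undefined")
    k = 0
    while x % p == 0:
        x, k = x // p, k + 1
    return k

def arithmetic_inverse(s, M):
    """Algorithm 2 (extended Euclid): s* with s * s* = 1 (mod M)."""
    modulus, s_star, r = M, 1, 0
    while M != 0:
        quot, c = divmod(s, M)
        s, M = M, c
        s_star, r = r, s_star - quot * r
    if s != 1:
        raise ValueError("s is not invertible modulo M")
    return s_star % modulus

def is_qpp(N, f1, f2):
    """Corollary 2.7: is f1*x + f2*x^2 a permutation polynomial mod N?"""
    fac = factor_exponents(N)
    if fac.get(2, 0) == 1:            # 2 | N and 4 does not divide N
        if (f1 + f2) % 2 == 0 or gcd(f1, N // 2) != 1:
            return False
        del fac[2]
    elif gcd(f1, N) != 1:
        return False
    return all(f2 % p == 0 for p in fac)

def has_quadratic_inverse(N, f2):
    """Theorem 3.6: compare the prime exponents of f2 with those of N."""
    for p, n_N in factor_exponents(N).items():
        if p == 2:
            need = max((n_N - 1) // 2, 1) if n_N > 1 else 0  # ceil((n_N-2)/2)
        elif p == 3:
            need = max(n_N // 2, 1)                          # ceil((n_N-1)/2)
        else:
            need = (n_N + 1) // 2                            # ceil(n_N/2)
        if valuation(f2, p) < need:
            return False
    return True

def lemma31_candidates(N, f1, f2):
    """Quadratics (g1, g2) that invert F at x = 0, 1, 2 (Lemma 3.1)."""
    a = f1 + f2
    prod = a * (f1 + 2 * f2) * (f1 + 3 * f2)
    M = N if N % 2 else N // 2        # congruence (1) for odd N, (3) for even N
    g2 = arithmetic_inverse(prod % M, M) * (-f2) % M
    g1 = arithmetic_inverse(a % N, N) * (1 - g2 * a * a) % N
    out = [(g1, g2)]
    if N % 2 == 0:                    # second solution: add N/2 to both
        out.append(((g1 + N // 2) % N, (g2 + N // 2) % N))
    return out

def quadratic_inverses(N, f1, f2):
    """Algorithm 1: all quadratic inverses of F, or [] if none exists."""
    if f2 % N == 0 or not is_qpp(N, f1, f2):
        raise ValueError("F is not a quadratic permutation polynomial")
    if not has_quadratic_inverse(N, f2):
        return []
    return lemma31_candidates(N, f1, f2)

def inverts(N, F, G):
    """Brute-force check that G(F(x)) = x for every x in [0, N-1]."""
    (f1, f2), (g1, g2) = F, G
    for x in range(N):
        y = (f1 * x + f2 * x * x) % N
        if (g1 * y + g2 * y * y) % N != x:
            return False
    return True

if __name__ == "__main__":
    # Examples 1 and 3 of the text, then two constructed cases with N = 5^3.
    for N, f1, f2 in [(15120, 11, 210), (1024, 1, 16), (1024, 15, 16),
                      (125, 1, 25), (125, 1, 5)]:
        inv = quadratic_inverses(N, f1, f2)
        ok = all(inverts(N, (f1, f2), G) for G in inv)
        print(N, (f1, f2), "->", inv, "verified" if ok else "MISMATCH")
```

For the constructed case $N = 125$, $f_1 = 1$, $f_2 = 5$, `lemma31_candidates` still returns a polynomial that inverts $F$ at $x = 0, 1, 2$, but it fails the full composition check, which is the situation Theorem 3.5 separates out.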

V. Conclusion 

We derived in Theorem 3.6 a necessary and sufficient condition for the existence of a quadratic inverse 
for a quadratic permutation polynomial over integer rings. Further, we described a simple algorithm 
(Algorithm 1) to find the coefficients of the quadratic inverse polynomial. We also found that almost all 
good interleavers searched in [1] admit a quadratic inverse despite the fact that they were not designed 
with this remarkable property in mind. A possible explanation is given. Although this is left for a further 
investigation, we conjecture that the restriction of quadratic interleavers to admit a quadratic inverse does 
not impair performance when applied to turbo codes. 

Appendix

(A) Proof: [Lemma 3.1]
Let $N = \prod_{p \in \mathcal{P}} p^{n_{N,p}}$. $G(x) = g_1 x + g_2 x^2 \pmod{N}$ inverts $F(x)$ at two points: $x = 1$ and $x = 2$ (in
addition, $G(x)$ trivially inverts $F(x)$ at a third point $x = 0$) if and only if the following two congruences
have at least one solution set $(g_1, g_2)$.

$$(G \circ F)(1) = G(f_1 + f_2) = g_1 (f_1 + f_2) + g_2 (f_1 + f_2)^2 \equiv 1 \pmod{N}. \tag{6}$$
$$(G \circ F)(2) = G(2f_1 + 4f_2) = g_1 (2f_1 + 4f_2) + g_2 (2f_1 + 4f_2)^2 \equiv 2 \pmod{N}. \tag{7}$$

By multiplying $(2f_1 + 4f_2)$ to (6) and $(f_1 + f_2)$ to (7), we get

$$g_1 (2f_1 + 4f_2)(f_1 + f_2) + g_2 (2f_1 + 4f_2)(f_1 + f_2)^2 \equiv 2f_1 + 4f_2 \pmod{N}. \tag{8}$$
$$g_1 (2f_1 + 4f_2)(f_1 + f_2) + g_2 (2f_1 + 4f_2)^2 (f_1 + f_2) \equiv 2(f_1 + f_2) \pmod{N}. \tag{9}$$

By subtracting (8) from (9),

$$2 g_2 (f_1 + f_2)(f_1 + 2f_2)(f_1 + 3f_2) \equiv -2f_2 \pmod{N}. \tag{10}$$

It can be shown that there exists at least one $g_2$ that satisfies (10) as follows.

If either $2 \nmid N$ or $4|N$, suppose $\gcd(f_1 + f_2, N) \neq 1$. Then there is a prime number $p$ such that $p|(f_1 + f_2)$
and $p|N$. However, $p \nmid f_1$ and $p|f_2$ by Corollary 2.7. Thus, $p \nmid (f_1 + f_2)$ for all $p$'s such that $p|N$. A
contradiction. Therefore $\gcd(f_1 + f_2, N) = 1$. Similarly, $\gcd(f_1 + 2f_2, N) = 1$ and $\gcd(f_1 + 3f_2, N) = 1$.
Thus, $\gcd((f_1 + f_2)(f_1 + 2f_2)(f_1 + 3f_2), N) = 1$. Consequently, if $2 \nmid N$, $\gcd(2(f_1 + f_2)(f_1 + 2f_2)(f_1 +
3f_2), N) = 1$ and if $4|N$, $\gcd(2(f_1 + f_2)(f_1 + 2f_2)(f_1 + 3f_2), N) = 2$.

If $2|N$ and $4 \nmid N$, $\gcd(2, N) = 2$ and $\gcd((f_1 + f_2)(f_1 + 2f_2)(f_1 + 3f_2), p) = 1$, where $p \neq 2$, by Corollary
2.7. Thus, $\gcd(2(f_1 + f_2)(f_1 + 2f_2)(f_1 + 3f_2), N) = 2$. In summary, if $N$ is an even number, we have
exactly two solution sets, and if $N$ is an odd number, we have exactly one solution set by Theorem 2.8.
When $N$ is an even number, let $(g_{1,1}, g_{1,2})$ and $(g_{2,1}, g_{2,2})$ be the solution sets. Then,

$$g_{1,2} (f_1 + f_2)(f_1 + 2f_2)(f_1 + 3f_2) \equiv -f_2 \pmod{\tfrac{N}{2}}. \tag{11}$$

and $g_{2,2} = g_{1,2} + \frac{N}{2} \pmod{N}$ by Theorem 2.8.

When $N$ is an odd number, let $(g_1, g_2)$ be the solution set. Then, the congruence (10) can be rewritten as
[15]

$$g_2 (f_1 + f_2)(f_1 + 2f_2)(f_1 + 3f_2) \equiv -f_2 \pmod{N}, \tag{12}$$

since $\gcd(2, N) = 1$.

After computing $g_2$ using (12), or $g_{1,2}$, $g_{2,2}$ using (11) and Theorem 2.8, we can compute the corresponding
$g_1$ or $g_{1,1}$, $g_{2,1}$ using (6), respectively. Specifically, it can be verified that $g_{2,1} = g_{1,1} + \frac{N}{2} \pmod{N}$. Thus,
for a given quadratic permutation polynomial $F(x)$, we can find at least one quadratic polynomial $G(x)$
that inverts the polynomial $F(x)$ at three points $x = 0, 1, 2$.

■ 

(B) Proof: [Lemma 3.2] 
case a: $2 \nmid N$

In Lemma 3.1, $F(x)$ is a permutation polynomial. We can thus apply Corollary 2.7 to (10),
reducing it to $\pmod{p}$ by Lemma 2.9, where $p$ is a prime number such that $p|N$.

$$2 g_2 \cdot f_1 \cdot f_1 \cdot f_1 \equiv 0 \pmod{p}.$$

Thus $p|g_2$, since $\gcd(2 \cdot f_1 \cdot f_1 \cdot f_1, p) = 1$, $\forall p$ such that $p|N$.
By multiplying $(2f_1 + 4f_2)^2$ to (6) and $(f_1 + f_2)^2$ to (7), we get

$$g_1 (2f_1 + 4f_2)^2 (f_1 + f_2) + g_2 (2f_1 + 4f_2)^2 (f_1 + f_2)^2 \equiv (2f_1 + 4f_2)^2 \pmod{N}. \tag{13}$$
$$g_1 (2f_1 + 4f_2)(f_1 + f_2)^2 + g_2 (2f_1 + 4f_2)^2 (f_1 + f_2)^2 \equiv 2(f_1 + f_2)^2 \pmod{N}. \tag{14}$$

By subtracting (14) from (13),

$$g_1 (f_1 + f_2)(2f_1 + 4f_2)(f_1 + 3f_2) \equiv 2f_1^2 + 12 f_1 f_2 + 14 f_2^2 \pmod{N}. \tag{15}$$

By Lemma 2.9, Corollary 2.7 and (15),

$$2 g_1 \cdot f_1 \cdot f_1 \cdot f_1 \equiv 2 f_1^2 \pmod{p}.$$

Thus, if $p|g_1$ then $p|2f_1^2$, which is a contradiction from Corollary 2.7.
By Corollary 2.7, $G(x)$ is a permutation polynomial.

case b: $2|N$ and $4 \nmid N$

We apply Corollary 2.7. First we prove that $G_1(x)$ and $G_2(x)$ obtained in Lemma 3.1 are
permutation polynomials modulo 2. Since $F(x)$ is a quadratic permutation polynomial, $f_1 + f_2$ is
an odd number from Lemma 2.2. Thus, $(f_1 + f_2)^2$ is odd. Let one solution set of Lemma 3.1 be
$(g_{1,1}, g_{1,2})$. Suppose $g_{1,1} + g_{1,2}$ is even, i.e., suppose both of $g_{1,1}$ and $g_{1,2}$ are even or odd numbers.
Then the LHS of (4) becomes an even number. A contradiction, since an even number modulo
an even number must be an even number but the RHS is an odd number and $N$ is even. Therefore,
$g_{1,1} + g_{1,2}$ must be an odd number. By Lemma 2.2, $G_1(x)$ is a permutation polynomial modulo
2. Since $g_{1,1} + g_{1,2}$ is odd and the second solution set is given as $g_{2,1} = g_{1,1} + \frac{N}{2} \pmod{N}$
and $g_{2,2} = g_{1,2} + \frac{N}{2} \pmod{N}$, $g_{2,1} + g_{2,2}$ must be odd. Consequently, $G_2(x)$ is a permutation
polynomial modulo 2. For $p$'s such that $p \neq 2$, using a similar argument as in case (a), it can be
easily verified that $G_1(x)$ and $G_2(x)$ are permutation polynomials.

case c: $4|N$

We apply Corollary 2.7. First we prove that $G_1(x)$ and $G_2(x)$ obtained in Lemma 3.1 are
permutation polynomials modulo $2^n$ where $n \geq 2$.

$f_2$ is even by Corollary 2.5 and $\frac{N}{2}$ is even since $4|N$. By Corollary 2.5, $f_1 + f_2$, $f_1 + 2f_2$, $f_1 + 3f_2$
are all odd numbers. Thus $(f_1 + f_2)(f_1 + 2f_2)(f_1 + 3f_2)$ is an odd number. Consequently, $g_{1,2}$ must
be an even number in (11) by reducing it $\pmod{2}$ and using Lemma 2.9. From (4), since $f_1 + f_2$
is odd and $g_{1,2}(f_1 + f_2)^2$ is even, $g_{1,1}$ must be an odd number. Finally, $g_{2,1} = g_{1,1} + \frac{N}{2} \pmod{N}$
is an odd number since $g_{1,1}$ is an odd number, and $g_{2,2} = g_{1,2} + \frac{N}{2} \pmod{N}$ is an even number
since $g_{1,2}$ is an even number. Consequently, by Corollary 2.5, $G_1(x)$ and $G_2(x)$ are permutation
polynomials modulo $2^n$, where $n \geq 2$. For $p$'s such that $p \neq 2$, using a similar argument as in
case (a), it can be easily verified that $G_1(x)$ and $G_2(x)$ are permutation polynomials.

■ 

(C) Proof: [Lemma 3.3] 

case a: $2 \nmid N$

Suppose that $n_{F,p} < n_{N,p}$ and $n_{F,p} < n_{G,p}$, where $p$ is a prime number such that $p|N$. From
Lemma 2.9 and (12),

$$0 \equiv -f_2 \pmod{p^{\min(n_{N,p},\, n_{G,p})}}.$$

A contradiction.

Now suppose that $n_{F,p} < n_{N,p}$ and $n_{G,p} < n_{F,p}$. Again, from Lemma 2.9 and (12),

$$g_2 \cdot f_1 \cdot f_1 \cdot f_1 \equiv 0 \pmod{p^{n_{F,p}}}.$$

The LHS cannot be 0, since $\gcd(f_1 \cdot f_1 \cdot f_1, p^{n_{F,p}}) = 1$ by Corollary 2.7. A contradiction. Thus
$n_{G,p} = n_{F,p}$.

If $n_{F,p} \geq n_{N,p}$, from Lemma 2.9 and (12),

$$g_2 \cdot f_1 \cdot f_1 \cdot f_1 \equiv 0 \pmod{p^{n_{N,p}}},$$

which forces $n_{G,p} \geq n_{N,p}$.

case b: $2|N$ and $4 \nmid N$

Using a similar argument as above, it is easily verified by using Lemma 2.9 and (11).

case c: $4|N$

Using a similar argument as above, it is easily verified by using Lemma 2.9 and (11).

■ 

(D) Proof: [Lemma 3.4] 

($\Longrightarrow$)

Define $T_0(x) = T(x) = t_1 x + t_2 x^2 + t_3 x^3 + t_4 x^4 \pmod{N}$ and $T_n(x) = T_{n-1}(x + 1) - T_{n-1}(x)$, $\forall n \geq 1$.
If $T(x) \equiv 0 \pmod{N}$, $\forall x \in [0, N-1]$ then $T_n(x) \equiv 0 \pmod{N}$, $\forall x \in [0, N-1]$, $\forall n \geq 0$. After some
computation, it can be easily shown that

$$T_1(x) = (t_1 + t_2 + t_3 + t_4) + (2t_2 + 3t_3 + 4t_4)x + (3t_3 + 6t_4)x^2 + 4t_4 x^3 \equiv 0 \pmod{N}.$$
$$T_2(x) = (2t_2 + 6t_3 + 14t_4) + (6t_3 + 24t_4)x + 12 t_4 x^2 \equiv 0 \pmod{N}.$$
$$T_3(x) = (6t_3 + 36t_4) + 24 t_4 x \equiv 0 \pmod{N}.$$

Consequently, in order to ensure $T_3(x) \equiv 0 \pmod{N}$ for $x \in [0, N-1]$,

$$24 t_4 \equiv 0 \pmod{N}.$$
$$6 t_3 + 36 t_4 \equiv 0 \pmod{N}.$$

($\Longleftarrow$)

Define $T_0(x)$, $T_1(x)$, $T_2(x)$ and $T_3(x)$ as above. Then by assumption, $T_3(x) \equiv 0 \pmod{N}$, $\forall x \in [0, N-1]$,
and $T_2(0) = T(2) - 2T(1) + T(0) \equiv 0 \pmod{N}$. By induction, $T_2(x) \equiv 0 \pmod{N}$, $\forall x \in [0, N-1]$
since $T_2(x + 1) = T_2(x) + T_3(x)$. By the same procedure, $T_1(x) \equiv 0 \pmod{N}$ and $T(x) = T_0(x) \equiv 0
\pmod{N}$. ■

(E) Proof: [Theorem 3.5] 

$(G \circ F)(x) \equiv x \pmod{N}$ if and only if $G(x)$ is the quadratic inverse polynomial of $F(x)$.

$$(G \circ F)(x) = g_1 (f_1 x + f_2 x^2) + g_2 (f_1 x + f_2 x^2)^2 \pmod{N}$$
$$= f_1 g_1 x + (f_2 g_1 + f_1^2 g_2) x^2 + 2 f_1 f_2 g_2 x^3 + f_2^2 g_2 x^4 \pmod{N}$$
$$\equiv x \pmod{N}.$$

Thus, $G(x)$ is the quadratic inverse polynomial of $F(x)$ if and only if the following condition is satisfied.

$$(f_1 g_1 - 1)x + (f_2 g_1 + f_1^2 g_2) x^2 + 2 f_1 f_2 g_2 x^3 + f_2^2 g_2 x^4 \equiv 0 \pmod{N} \tag{16}$$

Let $T(x) = (G \circ F)(x) - x = (f_1 g_1 - 1)x + (f_2 g_1 + f_1^2 g_2) x^2 + 2 f_1 f_2 g_2 x^3 + f_2^2 g_2 x^4$. By Lemma 3.1,
$T(0) = G(F(0)) - 0 \equiv 0 \pmod{N}$, $T(1) = G(F(1)) - 1 \equiv 0 \pmod{N}$, $T(2) = G(F(2)) - 2 \equiv 0
\pmod{N}$. Applying Lemma 3.4, we get

$$24 f_2^2 g_2 \equiv 0 \pmod{N}.$$
$$36 f_2^2 g_2 + 12 f_1 f_2 g_2 \equiv 0 \pmod{N}.$$

These can be further reduced to

$$12 f_2 g_2 \equiv 0 \pmod{N},$$

since $\gcd(f_1 + f_2, N) = 1$, by Corollary 2.7. ■

(F) Proof: [Theorem 3.6] 

($\Longrightarrow$)

By Lemmas 3.1 and 3.2, a quadratic permutation polynomial $F(x)$ has at least one quadratic permutation
polynomial $G(x) = g_1 x + g_2 x^2 \pmod{N}$ that inverts $F(x)$ at three points $x = 0, 1, 2$. Since it is required
for a quadratic inverse polynomial to invert $F(x)$ at these points, we only need to check whether $G(x)$
is a quadratic inverse polynomial or not.

We show that if $G(x)$ is a quadratic inverse polynomial, then the condition on $n_{F,p}$, where $p = 2$, holds.
The conditions for $n_{F,p}$, where $p \neq 2$, can be done similarly.

If $n_{N,2} = 0, 1$, whether $G(x)$ is a quadratic inverse or not, $n_{F,2} \geq 0$ trivially holds and this is why we do
not need to determine $n_{G,2}$ in Lemma 3.3, case (b) when $n_{N,2} = 1$.

If $n_{N,2} = 2, 3, 4$, by Corollary 2.7, $n_{F,2} \geq 1$, since $F(x)$ is a permutation polynomial.

Suppose that $G(x)$ is a quadratic inverse polynomial but $n_{F,2} < \left\lceil \frac{n_{N,2} - 2}{2} \right\rceil$ for $n_{N,2} \geq 5$. Since $G(x)$ is
a quadratic inverse polynomial, $12 f_2 g_2 \equiv 0 \pmod{N}$ holds by Theorem 3.5, i.e., $\prod_{p \in \mathcal{P}} p^{n_{N,p}} \,|\, (2^2 \cdot 3 \cdot
\prod_{p \in \mathcal{P}} p^{n_{F,p}} \cdot \prod_{p \in \mathcal{P}} p^{n_{G,p}})$.

We divide it into two cases.

1) $n_{N,2}$ is odd

$n_{F,2} < \frac{n_{N,2} - 1}{2}$, thus $n_{F,2} \leq \frac{n_{N,2} - 1}{2} - 1$. By Lemma 3.3, $n_{G,2} = n_{F,2}$, thus $2 + n_{F,2} + n_{G,2} \leq
2 + 2 \cdot \frac{n_{N,2} - 1}{2} - 2 = n_{N,2} - 1 < n_{N,2}$, which is a contradiction since $N | 12 f_2 g_2$ implies $n_{N,2} \leq 2 +
n_{F,2} + n_{G,2}$.

2) $n_{N,2}$ is even

$n_{F,2} < \frac{n_{N,2} - 2}{2}$, thus $n_{F,2} \leq \frac{n_{N,2} - 2}{2} - 1$. By Lemma 3.3, $n_{G,2} = n_{F,2}$, thus $2 + n_{F,2} + n_{G,2} \leq
2 + 2 \cdot \frac{n_{N,2} - 2}{2} - 2 = n_{N,2} - 2 < n_{N,2}$, which is a contradiction since $N | 12 f_2 g_2$ implies $n_{N,2} \leq 2 + n_{F,2} + n_{G,2}$.

Similarly, it can be shown that if $G(x)$ is a quadratic inverse polynomial, then the conditions on $n_{F,p}$,
where $p \neq 2$, are satisfied.

($\Longleftarrow$)

We show that if the conditions on $n_{F,p}$ hold, then $12 f_2 g_2 \equiv 0 \pmod{N}$, i.e., $\prod_{p \in \mathcal{P}} p^{n_{N,p}} \,|\, (2^2 \cdot 3 \cdot \prod_{p \in \mathcal{P}} p^{n_{F,p}} \cdot
\prod_{p \in \mathcal{P}} p^{n_{G,p}})$ holds. We only show that if the condition on $n_{F,p}$, where $p = 2$, is satisfied, $2^{n_{N,2}} \,|\, (2^2 \cdot 2^{n_{F,2}} \cdot
2^{n_{G,2}})$ holds; the case where $p \neq 2$ can be done similarly.
We divide it into three cases.

1) $n_{N,2} = 0, 1$

If $n_{F,2} \geq 0$, then $n_{N,2} \leq 2 + n_{F,2}$ holds. Thus $2^{n_{N,2}} \,|\, (2^2 \cdot 2^{n_{F,2}} \cdot 2^{n_{G,2}})$.

2) $n_{N,2} = 2, 3, 4$

If $n_{F,2} \geq 1$, then as required by Lemma 3.3, $n_{G,2} \geq 1$. Thus, $n_{N,2} \leq 2 + n_{F,2} + n_{G,2}$ holds and
consequently $2^{n_{N,2}} \,|\, (2^2 \cdot 2^{n_{F,2}} \cdot 2^{n_{G,2}})$.

3) $n_{N,2} \geq 5$

If $n_{N,2} \geq 5$, then $\left\lceil \frac{n_{N,2} - 2}{2} \right\rceil > 1$. By Lemma 3.3, if $n_{N,2} - 1 > n_{F,2} \geq \left\lceil \frac{n_{N,2} - 2}{2} \right\rceil$
then $n_{G,2} = n_{F,2}$.
Consequently, if $n_{N,2}$ is even, $2 + n_{F,2} + n_{G,2} = 2 + 2 \cdot n_{F,2} \geq 2 + n_{N,2} - 2 = n_{N,2}$, and if $n_{N,2}$
is odd, $2 + n_{F,2} + n_{G,2} = 2 + 2 \cdot n_{F,2} \geq 2 + n_{N,2} - 1 > n_{N,2}$. Thus $2^{n_{N,2}} \,|\, (2^2 \cdot 2^{n_{F,2}} \cdot 2^{n_{G,2}})$. If
$n_{F,2} \geq n_{N,2} - 1$, by Lemma 3.3, $n_{G,2} \geq n_{N,2} - 1$. Thus $2 + n_{F,2} + n_{G,2} \geq 2 \cdot n_{N,2} > n_{N,2}$ and
consequently $2^{n_{N,2}} \,|\, (2^2 \cdot 2^{n_{F,2}} \cdot 2^{n_{G,2}})$. ■